Mr. Joshua B. Bolten
Director, Office of Management & Budget
Eisenhower Executive Office Building, Rm 252
Washington, DC 20503

Dear Mr. Bolten:

Attached is this year's response to your August 2004 request of an annual systems security review as required in the Federal Information Security Management Act (FISMA). Included in this submittal are summary reports from both the Chief Technology Officer and the Office of the Inspector General.

PBGC is committed to protecting its information systems, network infrastructure, and data. We are continuously improving information security protection and awareness programs and continue to make it a major agency priority.

We will continue to closely monitor the progress of our information security activities to ensure our compliance with FISMA and other related government security policies and directives.

If your staff needs more information, please do not hesitate to have them contact Joe Scavetti, PBGC's Enterprise Information Systems Security Program Manager, Office of Information Technology, at (202) 326-4100 extension 3997.

Very truly yours,

Richard W. Hartt
Chief Technology Officer

Cc: Robert L. Emmons (Inspector General)


Executive Summary
Office of Information Technology

PBGC continues to improve its system security infrastructure and posture in compliance with the Federal Information Security Management Act of 2002. Since last year's reporting period, PBGC has improved the Enterprise Information Systems Security Program (EISSP) led by the Information Systems Security Officer. The EISSP ensures the following activities are conducted, monitored, and evaluated:

* Periodic assessments of general support and major business applications;
* Annual Security Plan updates;
* Establish policy and procedures based on risk assessments that cost effectively reduce information security risk through exercising the System Life Cycle Management process;
* Improve security of the facilities, network operation, and information systems through periodic inspections;
* Improve Security Awareness Training by implementing Computer Based Training and briefings with awareness videos for its annual training and newly hired personnel;
* Conduct periodic testing and evaluation of the effectiveness of security policies, procedures, and practices;
* Improve security awareness for detecting, reporting, and responding to security incidents; and
* Conduct exercises to test continuity of operations for general support and major business systems.

During FY2004, PBGC continued to improve its monitoring and auditing process, review and update its security plans, and perform semi-annual certifications of its system servers to ensure implementation of current security updates. Our review cycle for this reporting period will be completed by November 30, 2004. Also during FY2004, PBGC was able to certify nine major applications, bringing the total to twenty out of twenty-four. It is anticipated that four more will be completed by the end of this calendar year. PBGC will continue with its three-year cycle of system certifications to ensure the security of its system applications and to comply with FISMA regulations. PBGC continues to work with the Office of the Inspector General and its auditing representatives to resolve any anomalies that may potentially render PBGC assets or its information systems vulnerable.

Richard Hartt
Chief Technology Officer


Pension Benefit Guaranty Corporation
Office of Inspector General
1200 K Street, N.W., Washington, D.C. 20005-4026

October 12, 2004

Mr. Joshua B. Bolten
Director, Office of Management and Budget
Eisenhower Executive Office Building, Rm 252
Washington, DC 20503

Dear Mr. Bolten:

The Office of Inspector General (OIG) at the PBGC conducted independent reviews of information and technology security as an integral part of its FY 2004 audit and assessment work. Included in this work was the review of general controls and specific application control reviews associated with the annual financial statement audit. These reviews generally followed the guidance provided within the GAO's Federal Information System Controls Audit Manual (FISCAM) and reflected the impact of these general controls on PBGC's significant financial systems. Specifically, the areas of review included:

* Entity Wide Security (overall security program),
* Access Control (authorization, authentication, monitoring, and integrity),
* Service Continuity (contingency and business recovery planning),
* Systems Software (security and operational controls related to the computer platforms on which the business systems operate, i.e., UNIX, Windows NT, Novell, etc.),
* Application Development and Change Control (system life cycle management, new system development, and maintenance to existing systems), and
* Application Controls (completeness, access, validity, and specialized access as they relate to input, output and processing controls).

Over the past years, the OIG and PBGC focused on improving the effectiveness of the Corporation's security program and reducing the associated risks on the business operations. This included several specific security reviews performed by the OIG such as network attack and penetration testing, a comprehensive review of security policy and procedures, as well as business system assessments and the control structure surrounding those systems.

Letter to Joshua Bolten
FY 2004 FISMA Report

Based on our current assessment, we believe PBGC has a security structure, program and policies in place addressing operational and physical controls that have improved and promoted a strong security-related environment. PBGC continues to take significant steps to identify levels of security required to control and protect its assets and information, and further improve its security program. A significant example of this improvement is evidenced by the restructuring of the Office of Information Technology that included the realignment of the Information Systems Security Officer (ISSO) to report directly to the Chief Technology Officer (CTO).

The security environment is dynamic and requires constant attention and assessment not only by the OIG, but a committed assessment program on the part of PBGC. Our assessments were designed to address authorization, authentication of users, access controls, along with auditability and accountability over financial and privacy information. The results of these reviews have led to the development of specific corrective actions and improvements in the overall security program in place at PBGC today. Current reviews conducted by the OIG reflect progress being made related to security while at the same time highlight the fact that security is not a one-time fix, specifically in areas such as the monitoring and enforcement of established security policies and procedures.

The following items are examples of the progress made at PBGC and highlight the continued need for improvement:

* All major business and general support systems either have or are in the process of having documented security plans that generally adhere to the guidance provided in NIST 800-18.

* The OIG has performed reviews of the policies and procedures PBGC has developed and implemented to promote security. Work continues on the enhancement of the Enterprise Information Systems Security Program implemented in FY 2003.

* With respect to Continuity of Operations (COOP), PBGC continues to make a concerted effort to resolve the outstanding issues related to a contingency/business continuity plan that ensures recovery of its operations and is tested at least annually. To date, PBGC has not tested the recovery of its entire operations. However, during FY 2004, PBGC did conduct testing that included a shelter-in-place exercise, a walk-through of system use at an alternate site, and the systems recovery of two significant business processes (one of which involved its major program responsibility - the payment of participant benefits). Although all results could not be considered successful, all tests were positive steps in resolving PBGC's COOP issues and all produced encouraging results.

* A major area of concern to the OIG has been the progress on the certification and accreditation of PBGC's major business and general support systems, an issue that has been noted in every report to OMB since the requirement was first established. PBGC has developed and implemented a plan to evaluate its major business and general support systems over a three-year period. This generally complies with OMB A-130 guidance. However, discussions have taken place and management has agreed that the process in place requires significant improvement to fully comply with existing and future requirements such as NIST 800-37.

In past audits, the OIG has reported to PBGC internal control and operational conditions regarding information security to the extent that it has been considered a reportable condition. It is encouraging to see the progress being made in areas such as organizational responsibility and system monitoring, and we look forward to continued improvements. To aid PBGC in their efforts, the OIG tracks outstanding issues and recommendations as part of its compliance with OMB A-50, in addition to the POA&M submitted to OMB as part of this report and the required quarterly updates. This will provide PBGC with another mechanism to monitor progress on and final disposition of corrective actions for these issues.

We are also encouraged that management continues its work on a major effort to integrate financial systems that will provide the potential to improve operational efficiency and effectiveness as well as data security. Significant progress was made in developing a plan for addressing this issue during FY 2004, and we anticipate further progress in FY 2005.

To further assist PBGC with its security development program, the OIG will continue to perform independent evaluations on an annual basis in addition to scheduled audit projects. These evaluations and audit projects will include, but not be limited to, the following:

* the annual financial statement audit that includes evaluating the general controls of PBGC including security for its financial systems,

* targeted application reviews other than those included in the annual financial statement audit,

* targeted independent audits and evaluations of PBGC's compliance with applicable guidance, and

* reviews of contractor-provided services, as well as services from other agencies.

Sincerely,

Robert L. Emmons
Inspector General